In today’s environment, professional attackers know how to bypass your security technology by using social engineering and picking out human victims within your company. In fact, human targets have moved ahead of machines as the top target for cyber criminals. As noted by IDG’s publication, CSO, “Hackers smell blood now, not silicon.”
Your employees can be difficult to protect. Adversaries will use people’s emotions and their readiness to be helpful to obtain information that helps launch a highly targeted and often believable attack. Process and technology alone will not address this. Raising awareness and increasing vigilance will help you protect your employees and your organization. More importantly, it will help you build a culture of cybersecurity.
Targets of a social engineering attack need not be executive staff or members of the research department working on a secret project. More often criminals pick an ordinary employee and research that person in advance, so that the approach can be formulated in the most convincing way possible.
They use social media to discover details about projects, names, dependencies between departments and individuals, and friendships between colleagues. Once they have this baseline information, it is simple to approach an employee, appear legitimate, and obtain corporate information or access to corporate networks. The “cyber” part of such an attack is mostly the delivery mechanism; the groundwork is old-school acquisition of information through hands-on research.
Posing Critical Questions
To get a feel for your organization’s vulnerability to social engineering, and the type of training that would be most effective, the IT team can pose specific questions to managers and employees, including senior-level executives and board members. Questions to ask include:
- What percentage of individuals have a general security awareness?
- What is the common understanding of cybersecurity across the people in your department? How does that change across the company?
- How well are the organization’s security experts understood by the rest of the business, or do the IT and security teams speak a different language than the business people?
- What obstacles have data security concerns created at work?
- What concerns has the security situation produced, and where has it led to overreaction?
- Who are the in-house social engineering or forensics experts, and how do they keep themselves updated?
The answers to these questions will be different, depending on the business unit. Executives at a regulated company handling health data might exhibit greater awareness than those at an unregulated company. The reality, however, is that every company is vulnerable, and every organization has data that needs to be protected.
In addition to posing questions to employees, organizations benefit when senior-level executives pose specific questions to their cybersecurity leaders. These questions help establish what each cybersecurity investment is actually meant to achieve:
- What is your intent with this investment? In other words, what are you protecting?
- What is the business impact of doing so?
- What is the business impact of not doing it?
- What is the risk of delaying the investment—can we delay it six months, or can we speed it up?
- Do we have anything similar already in place? Why is this not already sufficient?
Raising Awareness for Every Single Employee
Top executive management needs to be willing to bear the consequences of cyberattacks and ensure appropriate and balanced communications to all employees. There are some basic points I would urge all executives to look at within their departments and across their organizations.
Employees must be aware that information such as “Who is working where, and with whom?” is extremely interesting for industrial spies and for the people supplying them with background information. This is no different from private life, where a vacation post on Facebook tells burglars that a house is empty for a while and, often enough, where that house is located.
This example can easily be transferred to work life. Pictures from the last company party deliver information regarding which employee knows which colleague and what their names are. This might already be enough information to tune a spear-phishing email with personalized information and provoke the fatal click.
Obviously, you can’t prevent employees from using social media, but you can ask them not to post work-related information, e.g., people’s roles, names of projects, and the like. These days, any comment on the web can shape public opinion regarding the employer or provide the piece of information that adversaries need to start an attack against IT or other departments.
Conclusion: We Are All United
Every employee on every level of the organization must be actively aware that he or she is personally responsible for data security and the image of the company. Only with continuous and engaging communication can security awareness be established and a culture of cybersecurity be developed. Only through constant vigilance can organizations ensure that security risks are identified and, even more importantly, reported.
It is also important that in-house security experts, and other leaders, build networks effectively and foster the right culture. By sharing information with colleagues from other companies, your IT and security teams will know what questions to ask internally. Leaders can learn from the failures of others, and also from their successes. In the war against cybercriminals, all companies must be united.